These tactics are part of a broader shift. As adversaries increasingly rely on unmanaged infrastructure to evade detection, defenders need containment that works holistically, regardless of how or where the attack begins.
Operating remotely, adversaries can delete backups and deploy additional payloads across the environment, accelerating impact while sidestepping process-based defenses. This technique creates a dangerous blind spot that many organizations struggle to monitor or contain.
File System Containment is not automatically enabled by default to give security teams full control. Enabling it is as simple as checking a single box in the Falcon UI. Once active, Falcon Prevent will block malicious behaviors like mass encryption, suspicious file modifications, and backup deletions targeting SMB shares.
How Ransomware Uses SMB to Evade Detection
Adversaries such as PUNK SPIDER and WANDERING SPIDER have been observed accessing unmanaged systems to remotely encrypt files over SMB shares. In other cases, BGH adversaries dumped credentials from backup tools or staged additional tools for broader compromise. But when they targeted Falcon-protected systems, those same actions were immediately stopped.
To combat this threat, Falcon Prevent includes remote ransomware prevention via File System Containment, which is designed to automatically block ransomware at the file access level, stopping destructive activity even if it originates from outside of your managed environment.
SMB-based ransomware attacks are difficult to stop because they often originate from systems where an endpoint detection and response (EDR) sensor has not been installed, giving adversaries a way to move undetected. Using stolen credentials, attackers can access network shares and trigger file encryption without delivering ransomware to the target endpoint.
Ransomware is a rapidly evolving threat, with attackers increasingly turning to remote techniques that target network shares. To help defend against these tactics, CrowdStrike Falcon® Prevent endpoint security includes a capability called File System Containment, which is precision-focused to block malicious file system actions over Windows Server Message Block (SMB) shares, halting encryption as soon as possible. Threat actors commonly abuse the SMB protocol to encrypt and exfiltrate data across network shares, bypassing traditional protections. These attacks often originate from unmanaged systems or involve compromised credentials, allowing adversaries to move laterally, encrypt sensitive data, and disrupt business operations without executing malicious code directly on a target device.
Stop the Spread with File System Containment
CrowdStrike has observed these techniques across a wide range of ransomware operations in the wild. CrowdStrike research shows access to unmanaged systems was central to big game hunting (BGH) ransomware operations throughout 2024. Adversaries commonly exploit unmanaged internet-facing systems to gain initial access, then locate internal systems for staging, lateral movement, and remote encryption.
Watch how it works:
